Disclosure of information

Over the past few days I have received a number of emails in relation to a password reset from our JIRA installation. Initially the emails where in relation to a password reset for the admin account but then they were in relation to my own account which was worrying. We have noticed that my username has then been used to perform a brute force attack on various other web applications that we host.

I have discovered that the hacker requested the following URL: /jira/secure/IssueNavigator!executeAdvanced.jspa which results in an issue navigator screen with no information however when the manage option is selected it shows a list of user created filters and this shows the Owner's name and username.

Can this disclosure of information be prevented?

Are there other pages which users can access without being logged in and could potentially disclose information?

2 answers

If you have not done so, please contact support. There are security related tools that can access to pages, but they are only as good as the person designing the test cases.

Here is an url what Atlassian does when security vulnerbilities are found.


Suggest an answer

Log in or Sign up to answer
Community showcase
Posted yesterday in United States

Topic Tuesday, now on Thursday! :-P

Happy Thursday everyone! This is usually a Tuesday thing but I've been crazy busy.  I finally had a moment to breath and so here we are. Atlassian has several tools and features to help users ...

10 views 0 0
View post

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you